JS: Remove or update some mentions of AdditionalTaintStep

asgerf · asgerf · commit d74e84abd854 · 2021-03-17T13:29:17.000Z
diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst
@@ -439,23 +439,24 @@ additional taint step from the first argument of ``resolveSymlinks`` to its resu
   }
 
 We might even consider adding this as a default taint step to be used by all taint-tracking configurations. In order to do this, we need
-to wrap it in a new subclass of ``TaintTracking::AdditionalTaintStep`` like this:
+to wrap it in a new subclass of ``TaintTracking::SharedTaintStep`` like this:
 
 .. code-block:: ql
 
-  class StepThroughResolveSymlinks extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
-    StepThroughResolveSymlinks() { this = DataFlow::moduleImport("resolve-symlinks").getACall() }
-
+  class StepThroughResolveSymlinks extends TaintTracking::SharedTaintStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      pred = this.getArgument(0) and
-      succ = this
+      exists(DataFlow::CallNode c |
+        c = DataFlow::moduleImport("resolve-symlinks").getACall() and
+        pred = c.getArgument(0) and
+        succ = c
+      )
     }
   }
 
 If we add this definition to the standard library, it will be picked up by all taint-tracking configurations. Obviously, one has to be
 careful when adding such new additional taint steps to ensure that they really make sense for `all` configurations.
 
-Analogous to ``TaintTracking::AdditionalTaintStep``, there is also a class ``DataFlow::AdditionalFlowStep`` that can be extended to add
+Analogous to ``TaintTracking::SharedTaintStep``, there is also a class ``DataFlow::AdditionalFlowStep`` that can be extended to add
 extra steps to all data-flow configurations, and hence also to all taint-tracking configurations.
 
 Exercises
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutingAssignment.qll b/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutingAssignment.qll
@@ -100,7 +100,7 @@ module PrototypePollutingAssignment {
     // users wouldn't bother to call Object.create in that case.
     result = DataFlow::globalVarRef("Object").getAMemberCall("create")
     or
-    // Allow use of AdditionalFlowSteps and AdditionalTaintSteps to track a bit further
+    // Allow use of AdditionalFlowSteps to track a bit further
     exists(DataFlow::Node mid |
       prototypeLessObject(t.continue()).flowsTo(mid) and
       any(DataFlow::AdditionalFlowStep s).step(mid, result)
diff --git a/javascript/ql/test/tutorials/Analyzing data flow in JavaScript/Global data flow/query5.ql b/javascript/ql/test/tutorials/Analyzing data flow in JavaScript/Global data flow/query5.ql
@@ -1,11 +1,12 @@
 import javascript
 
-class StepThroughResolveSymlinks extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
-  StepThroughResolveSymlinks() { this = DataFlow::moduleImport("resolve-symlinks").getACall() }
-
+class StepThroughResolveSymlinks extends TaintTracking::SharedTaintStep {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    pred = this.getArgument(0) and
-    succ = this
+    exists(DataFlow::CallNode c |
+      c = DataFlow::moduleImport("resolve-symlinks").getACall() and
+      pred = c.getArgument(0) and
+      succ = c
+    )
   }
 }
 
